Legal

Data Processing Agreement

Last updated: June 18, 2026

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service(the “Agreement”) between the customer (“Customer,” “you”) and Nudgy(“Nudgy”) and governs Nudgy's Processing of Personal Data contained in Customer Content. It applies to the extent Nudgy Processes Personal Data on Customer's behalf and to which Applicable Data Protection Laws apply. By accepting the Agreement, Customer enters into this DPA on behalf of itself and the organization it represents.

↓ Download a copy of this DPA (Markdown) — for execution alongside a signed Order. Capitalized terms used but not defined here have the meaning given in the Agreement.

1. Definitions

  • “Applicable Data Protection Laws”means all data-protection and privacy laws applicable to the Processing of Personal Data under this DPA, including Canada's PIPEDA and substantially similar provincial legislation and, where applicable, the EU/UK GDPR.
  • “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the GDPR, and equivalent terms in other Applicable Data Protection Laws are construed accordingly.
  • “Customer Personal Data”means Personal Data contained in Customer Content that Nudgy Processes on Customer's behalf under the Agreement.
  • “Subprocessor” means any third party engaged by Nudgy to Process Customer Personal Data.
  • “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission for the transfer of Personal Data to third countries, and, for the United Kingdom, the UK International Data Transfer Addendum.

2. Roles & scope of Processing

As between the parties, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Nudgy is the Processor of Customer Personal Data. Nudgy will Process Customer Personal Data only:

  1. to provide, secure, support, and maintain the Service in accordance with the Agreement;
  2. on Customer's documented instructions, including those set out in this DPA and given through Customer's use of the Service; and
  3. as required by law to which Nudgy is subject, in which case Nudgy will, where permitted, inform Customer of that legal requirement before Processing.

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A. If Nudgy believes an instruction infringes Applicable Data Protection Laws, it will inform Customer.

3. Customer's obligations

Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which it acquired that data. Customer warrants that it has established a valid legal basis for the Processing, has provided all required notices, and has obtained all consents necessary for Nudgy to Process Customer Personal Data as contemplated by the Agreement, and that its instructions comply with Applicable Data Protection Laws.

4. Confidentiality

Nudgy will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality, have received appropriate data-protection training, and access Customer Personal Data only on a need-to-know basis to perform under the Agreement.

5. Security measures

Nudgy will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the Processing. A description of these measures is set out in Annex B. Nudgy may update its measures from time to time provided the updates do not materially reduce the overall level of security.

6. Subprocessors

Customer provides general written authorization for Nudgy to engage Subprocessors to Process Customer Personal Data. Nudgy:

  1. maintains a current list of Subprocessors on its Subprocessors page;
  2. imposes on each Subprocessor data-protection obligations no less protective than those in this DPA, by written contract;
  3. remains responsible for each Subprocessor's performance of its obligations to the same extent Nudgy would be liable if performing the services directly; and
  4. will give Customer prior notice (by updating the Subprocessors page) of the addition or replacement of any Subprocessor, giving Customer a reasonable opportunity to object on reasonable data-protection grounds before that Subprocessor begins Processing.

If Customer reasonably objects and the parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected portion of the Service.

7. Data Subject requests

Taking into account the nature of the Processing, Nudgy will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws. If Nudgy receives such a request directly, it will, unless legally required to respond, promptly inform the Data Subject to contact Customer and notify Customer of the request.

8. Personal Data Breach

Nudgy will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide Customer with information reasonably available to it to assist Customer in meeting its own breach-notification obligations to regulators and Data Subjects. Nudgy will take reasonable steps to mitigate and remediate the breach. Nudgy's notification is not an acknowledgement of fault or liability.

9. Assistance with assessments & consultations

Taking into account the nature of the Processing and the information available to Nudgy, Nudgy will provide reasonable assistance to Customer with data-protection impact assessments and any prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws.

10. International transfers

Customer authorizes Nudgy and its Subprocessors to transfer Customer Personal Data across borders as necessary to provide the Service. Where a transfer is subject to the GDPR and is made to a country without an adequacy decision, the parties agree that the SCCs (and the UK Addendum, where applicable) are incorporated into this DPA by reference and apply to that transfer. For transfers subject to PIPEDA, Nudgy uses contractual means to ensure a comparable level of protection while Customer Personal Data is being Processed by a Subprocessor.

11. Return & deletion

On termination or expiry of the Agreement, Nudgy will, at Customer's written election and within a reasonable period, delete or return Customer Personal Data and delete existing copies, except to the extent Nudgy is required by law to retain it or it is contained in routine backups, which are deleted on Nudgy's ordinary backup-rotation cycle. Personal Data retained as part of the immutable audit trail is kept for the period and purposes described in the Privacy Policy.

12. Audits

Nudgy will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Applicable Data Protection Laws require, and on reasonable prior written notice, Nudgy will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor it mandates, subject to reasonable confidentiality and security conditions, no more than once per year except where required by a supervisory authority or following a Personal Data Breach. Nudgy may satisfy this obligation by providing then-current third-party certifications or reports where available.

13. Liability, term & precedence

Each party's liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Agreement. This DPA takes effect on Customer's acceptance of the Agreement and continues for as long as Nudgy Processes Customer Personal Data. In the event of a conflict between this DPA and the remainder of the Agreement with respect to the Processing of Personal Data, this DPA prevails. Except as modified here, the Agreement remains in full force and effect, and this DPA is governed by the same law as the Agreement.

Annex A — Details of Processing

Subject matter and duration

Processing of Customer Personal Data contained in Customer Content for the purpose of providing the Service, for the duration of the Agreement and the retention periods described in the Privacy Policy.

Nature and purpose of Processing

Hosting, storage, retrieval, indexing, embedding, transmission to Subprocessors for AI analysis, generation and retention of Findings and the audit trail, and deletion — all solely to provide, secure, support, and maintain the Service.

Types of Personal Data

Personal Data incidentally contained in construction specifications and drawings (for example, names, professional designations, stamps, signatures, and contact details appearing in title blocks or revision histories), and the identity and contact details of Customer's authorized users (name, work email, and account identifiers).

Categories of Data Subjects

Customer's authorized users; and the design and construction professionals and other individuals whose details appear in Customer Content.

Parties

Controller: Customer (and any third-party Controller it represents). Processor: Nudgy, contact contact@nudgy.ca.

Annex B — Technical & organizational measures

Nudgy maintains measures including:

  • Encryption of Personal Data in transit (TLS) and at rest by the managed services that hold it;
  • Logical separation of data per organization and per project, enforced server-side on every query;
  • Least-privilege access controls, with privileged service credentials confined to trusted server-side infrastructure;
  • Isolated audit processing: documents are processed by isolated workers and held in private, access-controlled storage, separated per organization;
  • Use of reputable managed infrastructure and Subprocessors bound by their own security commitments;
  • Logging and monitoring to detect, investigate, and respond to security incidents; and
  • Procedures for breach detection, response, and notification.

Annex C — Subprocessors

The current list of authorized Subprocessors, including each one's purpose and processing location, is maintained at /subprocessors and is incorporated into this DPA by reference. Changes are handled as described in Section 6.

Questions about this page? Email contact@nudgy.ca.